On 2001-12-06 09:40:15 -0800, Gisle Aas wrote:
> > I've seen that URI::ftp sends the user name when doing ANONYMOUS ftp gets.
> > I see a lot of problems:
> > - Sending the user name if the user doesn't know that it's sent doesn't
> > protect the user state of ANONYMOUS
> > - Spyware is not a good idea, most users don't like it.
> > - Sending the user name helps SPAM instead of stopping it. Many ftp sites
> > use this information to send you unsolicited email.
> > - Sending the user name doesn't help ftp sites to know who the cracker is;
> > crackers are not stupid enough to send their email address.
> > - Sending the user name can be used to discriminate the user.
> >
> > For all of these reasons I argue that URI::ftp should not send the user email
> > by default.
>
> Minor correction: URI::ftp does not send anything. It just suggests a
> password for anybody that might ask. LWP::Protocol::ftp asks and will
> use this password to log in.
It doesn't mind who uses it. The code to enable SPAM mode is in.
> > Some time ago two very important ftp clients wget and lftp stopped
> > sending the user name as password based on my input.
> >
> > As more and more ftp clients are moving to this anonymous@ password
> > (for example the kde kio ftp, qt3, gnome-xml, Net::FTP)
> > I recommend you to apply the patch.
> >
> > I send you the bugfix.
> >
> > Hoping that you see all of these problems I wait for your comments.
> >
> > Eduardo Pérez Ureta
> >
> > --- URI/ftp.pm Fri Sep 11 09:54:04 1998
> > +++ URI/ftp.pm Sat Dec 1 11:29:52 2001
> > @@ -5,7 +5,6 @@
> > @ISA=qw(URI::_server URI::_userpass);
> >
> > use strict;
> > -use vars qw($whoami $fqdn);
> > use URI::Escape qw(uri_unescape);
> >
> > sub default_port { 21 }
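
Review bot: removing `use vars qw($whoami $fqdn);` at the top of URI/ftp.pm takes away two package globals while `use strict` stays in force, so any reference to `$whoami` or `$fqdn` left elsewhere in the file will fail to compile. Please confirm that the anonymous-password block in the next hunk was their only user. The old code only filled them in `unless (defined ...)`, so a caller could preset `$URI::ftp::whoami` or `$URI::ftp::fqdn` to control what was disclosed; the change notes should say that this hook is gone.
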
> > @@ -31,25 +30,14 @@
> > my $user = $self->user;
> > if ($user eq 'anonymous' || $user eq 'ftp') {
> > # anonymous ftp login password
> > - unless (defined $fqdn) {
> > - eval {
> > - require Net::Domain;
> > - $fqdn = Net::Domain::hostfqdn();
> > - };
> > - if ($@) {
> > - $fqdn = '';
> > - }
> > - }
> > - unless (defined $whoami) {
> > - $whoami = $ENV{USER} || $ENV{LOGNAME} || $ENV{USERNAME};
> > - unless ($whoami) {
> > - if ($^O eq 'MSWin32') { $whoami = Win32::LoginName() }
> > - else {
> > - $whoami = getlogin || getpwuid($<) || 'unknown';
> > - }
> > - }
> > - }
> > - $pass = "$whoami\@$fqdn";
> > + # If there is no ftp anonymous password specified
> > + # then we'll just use -anonymous@
> > + # We don't send any other thing because:
> > + # - We want to remain anonymous
> > + # - We want to stop SPAM
> > + # - We don't want to let ftp sites to discriminate by the user,
> > + # host, country or ftp client being used.
> > + $pass = '-anonymous@';
>
> What does the leading '-' achieve?
Old ftp clients were confused by some servers that had an extensive
welcome message. So if you send a '-' in front of the password they
wouldn't send that bunch of text.
It's not important. You can cut it without major consequences.
> > }
> > }
> > $pass;
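
Review bot: the new comment above `$pass = '-anonymous@';` lists the privacy reasons for a fixed string but does not explain the leading '-', which is the one part of the value a reader cannot infer from the code. Either document what the '-' is for in that comment or drop it and use 'anonymous@'. The hard-coded literal also leaves no default other than this one unless a password is specified explicitly; if that is intended, the comment should state it.
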
Regards,
Eduardo